Biometric identity check

ABSTRACT

A portable data carrier comprises a communication means and a memory with a biometric template which is intended to be compared with a biometric sample for identity check. The biometric template is divided into a private part which is adapted to be exclusively used in the portable data carrier and a public part which is adapted to be transferred, with the aid of the communication means, to an external processing unit and be used therein. Moreover, a processing unit for use in biometric identity check is described, comprising a processor and a communication means. The communication means is adapted to receive a biometric sample and a public part of a biometric template, the processor is adapted to compare the received public part of the template with the biometric sample, and the communication means is further adapted to transfer, when a comparison criterion has been satisfied, at least part of the biometric sample to the portable data carrier for further comparison on the data carrier. A method for recording a biometric template and performing a biometric identity check is also described.

This is a 35 U.S.C. §371 filing of International Application No.PCT/SE01/00210, filed Feb. 6, 2001 that designates the United States ofAmerica and was published in English, and claims the benefit of filingunder 35 U.S.C. §119(a) of Swedish Application No. 0001576-8, filed Apr.28, 2000, and under 35 U.S.C. § 119(e) of U.S. Provisional ApplicationNo. 60/210,635, filed Jun. 9, 2000.

FIELD OF THE INVENTION

The present invention relates to a portable data carrier which comprisesa memory with a biometric template which is intended to be compared witha biometric sample for identity check. The invention further relates toa processing unit, a computer program product and various methods whichare intended for use in connection with biometric checking of identity.

BACKGROUND OF THE INVENTION

The access to information, to a room or the like must in many cases berestricted to certain individuals. This is the case, for instance, whenelectronic money transactions occur via the Internet, when in a hospitalthe access to case records is to be limited, or when only certainindividuals in a place of work are allowed to have access to certaininformation or certain rooms.

To this end, use is often made of what is referred to as intelligentcards or smart cards. A smart card can be described as a card in thesize of an account card which has a built-in processor, a memory andsome kind of communication interface, which in its simplest form mayconsist of one or more metal contacts.

Also so-called hardware tokens work essentially according to the sameprinciple as smart cards. They are typically used in a computer as a keyto “unlock” the computer and give a user access to information. Thedifference compared with a smart card is more of a practical type sincea hardware token can be directly inserted into the USB or serial port ofa computer while a smart card must be placed in a special smart cartreader which is connected to or incorporated in the computer. For thisreason, also the software on the hardware token differs somewhat fromthe software on smart cards, but their purpose is essentially the same.

On all smart cards that are used in the above contexts, sensitiveinformation is stored in the memory. A first part of the sensitiveinformation is reference information stored in advance about the user ofthe card. It is with this reference information that a comparison ismade every time the card user wishes to verify his right to use thecard.

Smart cards also contain a second part of sensitive information whichconsists of computer files which only the card user may access. They maycontain, for example, computer files with private encryption keys,longer passwords or other information that can be used to identify theuser. When the card user wants to verify that he has the right to accessto the sensitive information stored in the computer files on the smartcard, he places the card in a smart card reader and enters a pin code(PIN=Personal Identification Number). The pin code is limited to 16bytes and usually consists of four digits between zero and nine whichare matched with a reference pin code stored on the card. If the pincode corresponds with the reference, “the card is unlocked”, i.e. theuser gains access to the computer files containing the sensitiveinformation. Pin codes are presently used in many situations, and manypeople find it difficult to remember a number of different pin codes.Therefore, many people choose to use the same pin code in a number ofdifferent situations, thus deteriorating security.

For this reason, and with a view to further increasing security,alternative solutions have been presented, in which a user insteadidentifies himself with the aid of biometric information. By biometricinformation is meant information which is body-related andindividual-specific for the user. It may consist of, for instance, thepattern of the user's fingers, palm, iris, or some other informationwhich is not related to appearance but yet individual-specific, such asthe user's voice. A method in which a user identifies himself with theaid of his fingerprint typically proceeds as follows:

The user places his smart card in a smart card reader and one finger ona sensor which generates a digital image, i.e. a digital representation,of the fingerprint. The digital image of the fingerprint proceeds to anexternal processor, for instance a personal computer, where it ispreprocessed. In the preprocessing, the amount of information in theimage is reduced so that, for instance, a binarised image or parts of abinarised image are generated. A corresponding preprocessed image hasbeen stored on the card as reference information. This referenceinformation is usually referred to as a template. The external processorcollects the template from the card and compares this with thepreprocessed image of the finger. In case of correspondence, theexternal processor transmits a pin code to the card. This pin code actsas a key and gives access to the sensitive information stored in thememory of the card. If the template and the preprocessed imageinformation do not correspond with each other, no pin code istransmitted and the user cannot access the computer files with thesensitive information on the card.

Even if biometry is used so that the user will not need to use a pincode, a pin code is still transmitted at the last stage of theverification process since this pin code is necessary for the“unlocking” of specific files containing sensitive information on thesmart card. Thus the pin code must be hardcoded either in the softwarefor the application which communicates with the card, or in somehardware in the unit where the card is read and written. Consequently nosignificant increase of the security is achieved despite the use ofbiometry since there is still a risk that someone may access thecomputer files with sensitive information on the card by transmittingthe pin code to the card.

A further problem is that the template with which the matching occursmust be read from the card into the external processor in which thecomparison with the user's biometric data takes place. In the firstplace this is a security risk, and in the second place there aredirectives issued by computer security authorities in certain countrieswhich recommend that a biometric template should never leave the smartcard.

One solution to the above problems is presented in Swedish Patent No.8101707-1 which discloses an account card type data carrier which isprovided with verification equipment comprising a sensor on which a userplaces one of his fingers. The sensor records papillary line informationfrom the user's finger and calculates an identification bit sequencewhich is compared with a previously stored reference bit sequence. Ifthe bit sequences conform with each other, an acceptance signal isgenerated, which can activate an indication means or a connecting meanswhich makes the data carrier useable.

Although this solution eliminates the use of pin codes and lets thetemplate remain on the card all the time, certain drawbacks stillremain. For instance, the card cannot be a standard type smart cardsince such a card has no sensor and also does not have sufficientprocessor capacity to carry out the proposed method.

SUMMARY OF THE INVENTION

An object of the present invention therefore is to obviate, or at leastalleviate, the above problems and to provide an alternative solution forbiometric checking of identity, which solution has a high degree ofsecurity but yet allows use of e.g. a standard type smart card withlimited processing capacity.

According to the invention, this object is achieved by a portable datacarrier according to claim 1, a method for biometric checking ofidentity according to claim 15, a processing unit according to claim 22,a processing unit according to claim 24, a method for producing abiometric template according to claim 28, a method according to claim35, and a method for biometric checking of identity according to claim36.

More specifically, the invention concerns a portable data carrier,comprising a memory with a biometric template which is intended to becompared with a biometric sample for identity check. The biometrictemplate is divided into a private part which is adapted to beexclusively used in the portable data carrier and a public part which isadapted to be transferred to an external processing unit and be used inthe same.

By portable data carrier is meant a number of different portable units,such as smart cards, hardware tokens, MultiMedia Cards (MMC) etc, whichall have the feature in common that they have a safe memory area whichcan be used for biometric checking of identity, i.e. for checking that abiometric template and a later recorded biometric sample originate fromthe same person.

By the expressions biometric template and biometric sample are meantdata that is unique to an individual. Examples of such data can be thepattern of the person's fingers, palm, iris, or the person's voice. Thetemplate relates to reference information which is stored on the datacarrier, whereas the sample relates to biometric data which must bepresented by a person on each occasion of checking his or hers identity.

The fact that the template is divided into a private and a public partmeans that a certain part of the template never leaves the data carrierand that this part is thus not accessible to an unauthorised person,which results in significantly increased security compared with the casewhere the entire template is read from the data carrier and comparedwith a sample in an external unit.

The public part, however, is intended to be transferred to the externalprocessing unit and to be used only in the same. This makes it possibleto carry out some processor-demanding processing in the externalprocessing unit so that less processing capacity in the data carrier isrequired, thus making it possible to use, for example, standard typesmart cards.

Moreover a possibility of utilising different security levels fordifferent applications is created since it is possible either to merelymake a first comparison between the public part of the template and thebiometric sample in the external processing unit or, in addition, tomake a comparison in the data carrier between the private part of thetemplate and the biometric sample.

This means that first a check of the biometric sample is made in theprocessing unit, and if this check satisfies a predetermined comparisoncriterion, one or more parts of the biometric sample are transferred tothe data carrier for a final check in the same. By the final identitycheck being made on the data carrier, no pin code need be generated inthe processing unit and transferred to the data carrier. Instead one ormore parts of the biometric sample are transferred, which is much moredifficult to fake since it is much more complex than a common pin code.Security also increases still more since it is impossible for anill-intentioned person to steel or copy the entire template from theprocessing unit since only part thereof leaves the data carrier to beused in the first comparison in the processing unit.

According to a preferred embodiment, the private part of the biometrictemplate comprises at least one partial area, which constitutes aprivate partial area, of a digital image of an individual-specificparameter. Preferably a plurality of private partial areas are used.

Thus the private partial area is a subset of a digital image. The use ofa partial area of an image in a biometric template is advantageous sincea suitably selected partial area contains much information which can beused in the identity check. One or more suitably selected partial areas,e.g. fingerprint partial areas with special line formations, may resultin almost the same good security as if a complete image of theindividual-specific parameter is used while at the same time the amountof information used in the comparison has been reduced to a considerableextent. It goes without saying that more partial areas result in greatersecurity, but on the other hand greater processing capacity of the datacarrier is necessary.

The digital image can be made by means of thermal technique, opticaltechnique, capacitive technique or some other convenient technique. Itmay be processed after the actual recording, for instance binarised.

The individual-specific parameter can be, for example, the pattern of aperson's iris or retina, a handprint of some other individual-specificparameter which can be reproduced. However, it is preferably afingerprint. This enables a simple recording process where conventionalsensors can be used and the individual can easily provide the biometrictemplate.

In a preferred embodiment, the public part of the biometric templatecomprises information which is intended to be used for determining areference point in the biometric sample, which reference pointcorresponds to a reference point in the biometric template.

As a result, it is possible to determine how the biometric sample istranslated in relation to the biometric sample, which makes it possibleto select areas of the biometric sample which correspond to the privatepartial area or areas.

In a preferred embodiment, the public part of the biometric templatecomprises information which is intended to be used for determining howthe template is oriented in relation to the biometric sample.

It is an advantage to use the public part of the template for thispurpose since, if one knows how the template is oriented in relation tothe biometric sample, the comparison between the biometric sample andthe private partial area in the data carrier requires less processorcapacity as the comparison then need not take place for differentturning positions. Moreover, a reference point is obtained for selectingthe areas of the biometric sample that are to be sent to the datacarrier for comparison with the private partial area or areas.

In a preferred embodiment, the public part of the biometric templatecomprises at least one partial area, which constitutes a public partialarea, of the digital image of the individual-specific parameter.

In the same way as the private partial area, the public partial areathus is a subset of a digital image which represents, for instance, afingerprint, the pattern of a person's iris or retina, a handprint orsome other reproducible individual-specific parameter. The publicpartial area, which preferably is a single partial area in the centre ofthe fingerprint, makes it possible to determine the orientation of thetemplate in relation to the sample as well as a reference point forselection of sample partial areas to be sent to the data carrier basedon merely a comparison between the partial area and the sample indifferent relative positions. Such a match produces a reliable result.

In a preferred embodiment of the portable data carrier, the number ofprivate partial areas is greater than the number of public partial areasin the template. As a result, only one or a few areas need betransferred from the data carrier to the external processing unit. Thecomparison with the biometric sample in the external processing unitwill therefore be quicker and at the same time security increases stillmore since a large part of the template never leaves the data carrier.

For instance, there may be a single public partial area which iscollected from the centre of a fingerprint and a plurality, for instancefour to eight, private partial areas which are placed in predeterminedpositions at a distance from the public partial area.

In an alternative embodiment, at least one private partial area islocated in immediate connection with a public partial area in thebiometric template. This makes it easy to determine which partial areasof the biometric sample are to be transferred to the data carrier afterthe comparison of the public partial area or areas with the sample inthe processing unit. Moreover, this partial area of the biometric samplewill have been affected in the same manner (for example, the distancebetween the lines in a fingerprint varies with the force used by theindividual when applying his finger to the sensor) as the partial areawhich was compared with the public part of the template, which resultsin quicker and safer identification.

As an alternative to a partial area, the public part of the biometrictemplate may contain information about the mutual positioning of aplurality of features of a predetermined type in the digital image ofthe individual-specific parameter. These features can be, for example,line ends and line branches. The mutual positioning thereof can be usedto determine the orientation of the template relative to the sample bymatching the features in the public part of the template with thefeatures in the sample. Preferably the public part of the templatecomprises at least five such features. The type of features may, butneed not, be included in the public part of the template. Furthermorethe features can be used to determine a reference point, which cancorrespond to, for example, a predetermined of the features.

The private partial area or areas of the template can be placed in thesame fashion in relation to the public partial area for all templates.Alternatively, the private partial area or areas can be selectedindividually for each template so as to contain as much information ofinterest as possible. In the latter case, the public part of thebiometric template further contains information about how the privatepartial area or areas are placed in relation to the reference point.

The information can then be used to select in the external processingunit which partial areas of the sample are to be sent to the datacarrier for comparison with the private partial area or areas. Theinformation can be available in the form of coordinates which arerelated to the reference point, for instance the centre in a publicpartial area.

In a preferred embodiment, the portable data carrier further comprisesat least one threshold value which indicates to which extent the privatepartial area should correspond to a corresponding partial area of thebiometric sample for these two partial areas to be considered tooriginate from the same individual. By the threshold value being storedin the data carrier, it may be set at different levels in different datacarriers, so that the security requirements can be adjusted to differentsituations. The threshold value can even be set individual-specifically.

In a preferred embodiment the threshold value is stored in the privatepart of the template.

The portable data carrier suitably comprises a communication means viawhich the public part of the biometric template is adapted to betransferred to the external processing unit. The communication means canbe intended for wireless communication, for instance inductivetransmission or transmission by means of radio signals. However, it iscurrently preferred for the data carrier to have one or more contactsfor galvanic contact with the external processing unit.

The portable data carrier further suitably comprises a signal processingmeans which is adapted to carry out a comparison between the privatepart of the template and at least part of the biometric sample. Thesignal processing means may comprise a suitably programmed processor orspecifically adapted hardware, such as an ASIC (Application SpecificIntegrated Circuit) or an FPGA (Field Programmable Gate Array).

The portable data carrier is preferably a smart card. These cards can beof different standard types, such as Java or MULTOS cards, which aresimple and inexpensive types of data carrier which can easily be adaptedto different applications and which are easy for a user to carry. Astandard type smart card which contains data about a certain user canthus be used in a plurality of situations since it is preciselystandardised and since the operating system on the card handles thefiles in such manner that the handling of the files is independent ofthe application in which the card is used.

According to a second aspect, the invention relates to a method forbiometric checking of identity in a processing unit. The method ischaracterised by the steps of receiving a biometric sample and a publicpart of a biometric template, which has a private part stored in asecond unit and adapted to be used exclusively in the second unit,comparing the received public part of the template with the biometricsample and, when a comparison criterion has been satisfied, transferringat least part of the biometric sample to the second unit for furthercomparison with the private part of the biometric template.

The advantages of the method are evident from the discussion regardingthe data carrier. The second unit can be a portable data carrier. It canalso be a stationary unit, with which the processing unit communicates.The method is especially usable when the processing unit has poorsecurity for carrying out the biometric checking of identity and whenthe second unit has limited processor capacity and/or when, for variousreasons, it is desirable to limit the quantity of data to be transferredfrom the processing unit to the second unit.

The method can be implemented as a computer program which is executed bya processor in the processing unit. To this end, the invention concernsaccording to a third aspect a computer program product comprisingprogram code which, during execution in a computer, carries out a methodaccording to claims 15-22.

According to a fourth aspect, the present invention relates to aprocessing unit for use in biometric checking of identity, saidprocessing unit comprising means for carrying out a method according toclaims 15-22.

The means may comprise a processor with suitable software. It mayalternatively comprise specially adapted hardware. The processing unitcan be a suitably programmed general computer with means, for instance acard reader, which permit exchange of information with a second unit. Itcan also be a special card reader which has been provided with hardwareand/or software which enables carrying out the above-described methoddirect in the card reader. The above means suitably also comprise acommunication means for communication with the second unit.

The comparison criterion used in the processing unit to determinewhether parts of the biometric sample are to be sent to the data carriermay vary between different applications, depending on which securitylevel is desirable. The criterion can easily be entered in theprocessing unit by a person skilled in the art who is responsible forthe current security system, or it can be stored in the software.

In a preferred embodiment, the processing unit further comprises asensor for recording the biometric sample. That means that no extraequipment need be connected to the processing unit and the recording andthe preprocessing, if any, can thus be integrated so that the procedureas from the recording of the user's biometric sample up to and includingthe transfer to the portable data carrier will be quick. Also securityincreases since the biometric sample need not be transferred between aspecial recording unit and the processing unit. Alternatively, thesensor can be located in a separate unit, from which the recordedbiometric sample is transferred to the processing unit.

According to a fifth aspect, the invention relates to a method ofproducing a biometric template, comprising the steps of recording abiometric sample which represents an individual-specific parameter;selecting a first part of the biometric sample; selecting a second partof biometric sample; storing the selected first and second parts in amemory in a first unit in a public and a private part, respectively, ofa biometric template, the private part being adapted to be usedexclusively in the first unit and the public part being adapted to beused outside the first unit.

The first unit can be a portable data carrier, especially a smart card.

When producing the template, a recording of a biometric sample thus ismade according to a prior-art method, in which the result is, forinstance, a digital image of the current biometric sample. In thissample, a private and a public part are then selected. The selection ofthe first and the second part means that the quantity of data that needbe stored in the data carrier decreases to a considerable extent, andthe advantages arising in consequence of this have been discussed above.After the parts have been selected, they are transferred to the datacarrier and stored permanently in the memory thereof.

According to a preferred embodiment of the above method, the selectionof the first and the second part each comprises selection of at leastone partial area of a digital image, each partial area being selectedaccording to a predetermined public and, respectively, private selectioncriterion.

The selection criterion can vary according to how safe theidentification is to be made. For example, the public and, respectively,the private partial areas can either be selected in the same way for allindividuals, or be selected in a unique way to each individual, wherethe areas which are of greatest interest from the viewpoint ofidentification are selected. However, the public partial area or areasare advantageously selected in such manner that they will be easy tofind in the comparison with the biometric sample. Consequently, a quickmatch can be carried out in the processing unit. The private partialareas, however, can be selected according to other criteria since theirposition in the biometric sample can be related to the position of thepublic partial area and a quick match can therefore still be achieved.

The method can be accomplished in specially adapted hardware or softwareor in a convenient combination thereof.

To that end, the invention concerns, according to a fifth aspect, acomputer program product comprising program code which, during executionin a computer, carries out a method according to claims 28-34.

According to a sixth aspect, the invention also relates to a method forcarrying out biometric checking of identity, comprising the steps ofrecording a biometric sample which represents an individual-specificparameter; comparing in a first unit a public part of a biometrictemplate, which public part has been received from a second unit, withthe biometric sample to find out whether a first predeterminedcomparison criterion has been satisfied; selecting, if the firstcomparison criterion has been satisfied, at least part of the biometricsample according to a predetermined selection criterion and transferringsaid at least part to a second unit; comparing in the second unit saidat least part of the biometric sample with a private part, stored in thesecond unit, of the biometric template to find out whether a secondpredetermined comparison criterion has been satisfied.

The advantages of this method will be evident from the discussion above.The first predetermined comparison criterion can be a predetermineddegree of correspondence between the public part and the biometricsample, for instance a certain number of matching features or a certainnumber of matching pixels in two overlapping partial areas. The secondcomparison criterion can be a predetermined degree of correspondencebetween the private part of the template and part of the biometricsample. This comparison criterion can advantageously be stored in thesecond unit, and preferably in the private part of the template so asnot to be accessible from outside.

The method can be accomplished in specially adapted hardware, insoftware or in a suitable combination thereof. To this end, theinvention relates according to a seventh aspect to computer softwarecomprising program code which, during execution in a computer, carriesout a method according to claims 36-37.

According to an eighth aspect, the present invention relates to use of abiometric template which is divided into a private part adapted to beexclusively used in a unit in which the template is stored, and a publicpart adapted to be transferred to and used in an external processingunit.

As an example of use, storing in electronic form of such a template canbe mentioned.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described in more detail by way of anembodiment with reference to the accompanying schematic drawings.

FIG. 1 is a schematic drawing illustrating a portable data carrier and aprocessing unit according to the invention.

FIG. 2 is a block diagram illustrating a method according to theinvention of producing a biometric template with a private and a publicpart and storing this in a portable data carrier.

FIG. 3 is a block diagram illustrating a method according to theinvention of performing a biometric identity check.

FIGS. 4 a and b show two different positionings of private and publicpartial areas of a biometric sample for storage in the form of atemplate in a portable data carrier.

DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 is a schematic view of a system according to the invention, whichconsists of a portable data carrier 1 in the form of a smart card and aprocessing unit 2. The system is intended to be used for biometricidentity check based on fingerprints.

The smart card 1 is an ordinary standard type card, for instance a Javaor MULTOS card, and has a communication means 3 which is adapted tocommunicate with the processing unit 2. The communication means 3 maycomprise one or more metal contacts which make it possible for theprocessing unit to read information on the smart card. The communicationmeans 3 can alternatively comprise circuits which enable wirelesscommunication between the smart card and the processing unit, e.g.circuits for inductive transmission of information or for radiocommunication. The smart card 1 further has a processor 5 and a memory6. The memory 6 contains sensitive information on the one hand in theform of computer files to which the person using the system wishes togain access and, on the other hand, in the form of a biometric templatewhich has a private part that never leaves the smart card and a publicpart that is allowed to leave the smart card. In addition to thesensitive information and the template, the memory 6 also comprisessoftware which the processor 5 uses, for example, to compare thetemplate with a biometric sample.

The processing unit 2 can be a device which is specially designed tocarry out biometric identity check or a standard type computer which hasbeen provided with suitable software and a card reader which can readthe information on the smart card 1. The computer comprises a processor7, which is used in the preprocessing of the user's biometric sample andin the comparison between this and the public part of the template. Theprocessing unit further comprises a sensor 8 for recording afingerprint. The sensor can be integrated with the processing unit or beconnected thereto as a separate unit. The sensor is preferably of acapacitive type but it can also be, for instance, optical, thermal orpressure-sensitive. The sensor 8 is connected to the processor 7. Theprocessing unit 2 further comprises a communication means 4 which makesit possible for the processing unit to read information on the smartcard 1. The communication means may comprise one or more metal contactswhich produce galvanic contact with one or more metal contacts on thesmart card or circuits for inductive transmission of information or fortransmission by means of radio signals. The processing unit 2 alsocomprises a memory 10 in which software is stored for the preprocessingof the biometric sample which the processor 7 carries out. The memory 10also comprises software which, for example, controls how the comparisonbetween the preprocessed biometric sample and the public part of thebiometric sample is to be carried out, which comparison criteria are tobe used, and which part or parts of the biometric sample are to betransferred from the computer 2 to the smart card 1. The processing unit2 also has circuits 11 for external communication with other units, suchas additional sensors or information-carrying units. The communicationbetween the different units in the computer 2 and on the smart card 1,respectively, occurs via a data bus (not shown).

FIG. 2 is a block diagram of a method of producing a biometric templatewith a private and a public part. It is here assumed that the method iscarried out by means of a system according to FIG. 1. First, in step 20,a digital image in grey scale of the user's fingerprint is recorded bymeans of the sensor 8. This image thus constitutes a digitalrepresentation of the fingerprint. The recorded image is checked so thatit is ensured, for instance, that there is really a fingerprint in theimage, that the fingerprint takes up a sufficiently large part of theimage and that the fingerprint is sufficiently clear.

It is checked, among other things, whether the user has applied hisfinger with sufficient pressure on the sensor 8 and so that any moistureon the user's finger has not made it impossible for the sensor 8 todistinguish between “ridges” and “valleys” on the finger. If necessary,the step of recording is repeated.

When a digital image in grey scale of sufficient quality has beenrecorded by the sensor 8, a binarisation of the image occurs. Thebinarisation implies that the pixels of the image are compared with agrey scale threshold value. The pixels which have a value smaller thanthe grey scale threshold value are converted to white and those having avalue greater than the grey scale threshold value are converted toblack. The grey scale threshold value can be the same for the entireimage or vary between different parts of the image. The binarisationalgorithm can also be refined, so that the pixels are compared with thesurroundings, so as to prevent, for example, individual pixels frombeing white if all the surrounding pixels are black. Additionalpreprocessing of the image can also be carried out, such as change ofresolution and contrast improvement.

After binarisation, a partial area, below referred to as public partialarea, of the image is selected in step 21 to be stored in a public partof a template. The area can be selected in different ways. One way is touse the following three quality criteria: 1) Distinctness, i.e. how easya partial area is to binarise, 2) Uniqueness, i.e. how unique a partialarea is, and 3) Geographic location, i.e. where a partial area islocated in the fingerprint.

For instance the uniqueness can be checked by correlating the partialarea with the surroundings and selecting a partial area with a smalldegree of correlation with the surroundings. Alternatively, it ispossible to search out partial areas with features, i.e. points where afingerprint line branches off or ends.

As regards the geographic location, partial areas in the centre of theimage are preferred since then there is a minimum risk that the partialareas are not included in a later recorded sample. Moreover, the imageof the fingerprint will be least deformed in the centre when the userapplies his finger with different pressures on the sensor.

The partial area which best corresponds to the above quality criteria isselected to constitute the public partial area. Preferably, a singlepublic partial area in the centre of the image is selected so that aslittle information as possible about the user's fingerprint is availablein the public part of the template. However, a plurality of publicpartial areas can be selected to achieve safer matching of the publicpart of the template with the biometric sample and thus obtain saferorientation of the template in relation to the sample.

When the public partial area has been selected, at least one, butpreferably a plurality of partial areas, below referred to as privatepartial areas, are selected, in step 22, for storage in a private partof the template on the smart card 1. The private partial areas arepreferably selected according to the same quality criteria as the publicpartial area or areas. Preferably, six private partial areas areselected. More or fewer partial areas can be selected according to thedesired security level, the desired quickness in matching and theavailable processor capacity on the smart card.

FIGS. 4 a and 4 b show examples of how public and private partial areascan be located in an image of a fingerprint. In FIG. 4 a, there is asingle public partial area A located in the centre and nine privatepartial areas B-J. In FIG. 4 b there are seven public partial areas 101,201, 301, . . . , 701 and the same number of private partial areas 102,202, 302, . . . , 702. In this case, the private partial areas areselected so as to be positioned in immediate connection with therespective public partial areas.

The size of the selected public and private partial areas is in thisembodiment 48×48 pixels, but can easily be adjusted by a person skilledin the art according to the current requirements.

In connection with the selecting of the private partial areas, alsotheir location in relation to a reference point is determined. Thereference point can be selected, for instance, to be the centre in thepublic partial area or in one of these if there are more. Otherwell-defined reference points, for instance by means of features, can ofcourse also be selected. The locations of the private partial areas areindicated as coordinates in relation to the reference point. Thecoordinates are stored as part of the public part of the template.

Before the template is transferred to the smart card 1, a test matchingis made with an additional image of the user's fingerprint made by meansof the sensor 8. The test matching is carried out according to themethod that will be described below with reference to FIG. 3. If theadditional image and the template match each other, the template isconsidered to be recordable.

In step 23, the public and the private part of the template are thentransferred from the processing unit 2 via the communication circuits 3,4 to the memory 6 of the smart card 1. The public part of the templatewill thus contain the public partial area or areas as well ascoordinates for the location of the private partial areas in relation toa reference point. Its private part will contain the private partialareas. In the private part, it is also possible to store comparisoncriteria in the form of threshold values for which degree of matching isto be achieved, when matching of the private partial areas with samplepartial areas, for the template and the sample to be considered tooriginate from the same individual. For example, the threshold valuesmay comprise a first threshold value which indicates to what extent anindividual private partial area is to match a corresponding partial areain the biometric sample. This first threshold value may apply to all theprivate partial areas. The threshold values may further comprise asecond threshold value which indicates how many of the private partialareas must satisfy the first threshold value. They may also comprise athird threshold value for the extent to which the private partial areasare to match the corresponding sample partial areas. The thresholdvalues may, but need not, apply to the public partial area.

The partial areas are preferably stored in the form of compressed bitmaps.

When the template has been transferred, additional sensitive informationcan, if desired, be transferred from the computer 2 and stored in thememory 6 of the smart card 1. The recording of a template for the cardholder is usually made only once. The other sensitive information,however, can be exchanged when necessary.

FIG. 3 shows a method for carrying out biometric identity check by meansof a system according to FIG. 1 which comprises a smart card 1, in whosememory a template with a private and a public part is stored, as well asprocessing unit 2.

A person whose identity is to be checked first places his smart card 1in a card reader which is integrated with or connected to the processingunit 2. He then places his finger on the sensor 8 and a digital image ingrey scale is recorded in step 30 in the same way as described above.The image, which is a digital representation of the person'sfingerprint, can be referred to as a biometric sample or a fingerprintsample. The quality of the image is checked preferably in the same wayas in the recording of the template and is binarised. Subsequently theprocessing unit 2 reads the public part of the template on the smartcard 1 via the communication circuits 3, 4.

In step 31, the public partial area included in the public part of thetemplate is matched or compared with the binarised biometric sample. Thematching can also be carried out with the entire sample or preferablywith a part of a predetermined size, for instance 100×100 pixels, in thecentre of the sample. In the matching, the public partial area “sweeps”over the sample image and in every position a comparison is carried outpixel by pixel. If a pixel in the template corresponds with a pixel inthe sample image, a given value, for example 1, is added to a sum. Ifthe pixels do not correspond, the sum is not increased. When the publicpartial area of the template has been swept over the entire sampleimage, a position is obtained where the public partial area of thetemplate best overlaps the sample image. The public partial area canalso be rotated in relation to the sample image to find out whether abetter matching can be obtained.

When the translation and the rotation have been made and the bestmatching position for the sample fingerprint and the public partial areaof the template has been found, the obtained matching value is comparedin step 32 with a predetermined first comparison criterion, which inthis case is a reference sum. If the matching value is smaller than thereference sum, the identity check is considered to have failed, step 33,but if the matching value is equal to or greater than the reference sum,the process proceeds in step 34.

By the matching of the public partial area of the template with thesample image, it has now been established how the template and thesample image are oriented in relation to each other. Thus, the point inthe sample image which corresponds to the reference point in thetemplate can be established. Then the coordinates in the public part ofthe template are used to determine which parts of the sample image areto be sent to the smart card to be compared with the private partialareas. More specifically, in step 34 a partial area of a predeterminedsize is selected round each point which is defined by the coordinates inthe public part of the template. However, the sample partial areasshould be slightly greater than the corresponding private partial areasin the template to compensate for any deformation of the fingerprint ifthe user's finger has been applied with a different pressure on thesensor when recording the sample image. These sample partial areas arethen transferred to the smart card.

The areas can be transmitted in a predetermined sequence so that theprocessor on the smart card knows which area is which. As a furtheralternative, coordinates for the positioning of the sample partial areascan be transmitted as well.

In step 35, the processor 5 on the smart card 1 compares the transmittedsample partial areas with the private partial areas in the private partof the template. This matching is much less time-consuming than if theprivate partial areas, for example, should be matched with the entiresample image since the private partial areas need now only be matched ina limited number of positions with corresponding sample partial areas.If the position of rotation has been established in the processing unit,no rotations need be made. For instance, the matching can be made in themanner described above where a number of points is calculated on thebasis of pixel identity. When the transferred sample partial areas havebeen compared with the private partial areas of the template, a totalmatching value between 0% (i.e. no match at all) and 100% (i.e. completematch) is obtained. This matching value is compared with a secondcomparison criterion in the form of a predetermined threshold value,step 36, which can be stored in the private part of the template. If thematching value is equal to or greater than the threshold value, theidentity check is considered successful, step 37, and the user gainsaccess to the sensitive information stored on the card. If the matchingvalue is lower than the threshold value, the identity check isconsidered to have failed, step 33, and the user is refused access tothe sensitive information. Alternatively, first the matching value ofeach individual partial area can be compared with a threshold value andthe number of matching partial areas can be determined.

A more comprehensive description of how partial areas in a fingerprintcan be selected and how a template area can be compared with a biometricsample area is to be found in Applicant's International PatentApplication No. PCT/SE99/00553.

Although a special embodiment of the invention has been described above,it is obvious to those skilled in the art that many alternatives,modifications and variations are feasible in the light of the abovedescription.

For example, it is possible to use more than one partial area in thepublic part of the template. The advantage of this is that a saferinitial identity check and a safer determination of how the template isoriented in relation to the sample image are achieved. A furtheradvantage is that if a user has injured his finger so that the firstpartial area does not match, a second public partial area can possiblymatch. Moreover the possibilities of orienting a template in relation toa sample image increase if sample image is displaced in relation to thetemplate.

In the example above, the public part of the template comprises apartial area of the reference fingerprint image which is recorded whenthe template is produced. An alternative can be to let the public partcomprise a description of the mutual positioning and, possibly, the kindof a plurality of features of a predetermined type. These features aretransferred in the same way as the public partial area and matched withfeatures in the sample image to establish the orientation of thetemplate in relation to the sample image and, based on this orientation,a reference point which may consist of a predetermined of said featuresand on the basis of which the sample partial areas to be transferred tothe smart card can be determined.

The public part of the template may also comprise other informationwhich makes it possible to determine a reference point in the sampleimage, for instance a specification of a reference point on the basis ofa relationship between line transitions or the like.

It would also be possible to let the public part of the template containmerely information, for instance coordinates, which indicates thepositioning of the private partial areas in relation to a referencepoint and to let the reference point be a predetermined point in theactual fingerprint, i.e. not in the image, which point can be identifiedin a safe manner. PCT/SE99/00553 discloses different methods ofsearching out a reference point in a fingerprint.

In the example above, it is described that the private partial areas areselected according to certain quality criteria. It is, of course,possible to select these areas according to other criteria. It may be avariant to always select the areas in a predetermined position inrelation to the reference point. In such a case, the public part of thetemplate need not contain coordinates for the positioning of the privateareas.

In the example above, the template is stored in a portable data carrier.It could also be advantageous to use the described method incommunication between a processing unit and a stationary data carrier,such as a stationary computer. Such an example could be the use ofbiometric information to verify a user's identity when he wants toconnect to, for instance, a bank on the Internet. The biometric templatecan then be stored in a stationary data carrier at the bank, while theuser has a fingerprint sensor and software to carry out that part of theabove method that is carried out in the processing unit. The advantageof using the method in this application, where the calculating capacityof the bank does not need to constitute a problem, would be that asignificantly smaller amount of information need be transmitted from theuser to the bank in the verification of the user's identity.

For instance, the areas of the image that are selected for the matchingcan be selected based on criteria completely different from thosedescribed above. Completely different types of biometric data can alsobe used, such as the user's voice and a digital representation thereofin the form of a frequency spectrum, or the user's iris. Therefore theinvention is considered to comprise all such alternatives, modificationsand variations that are within the scope of the appended claims.

Finally, it should be pointed out that the above described comparison ofa public partial area with the biometric sample can be carried out inmany other ways than the calculation of number of points as describedabove. For example, it is possible to use multiplication of pixelsmatching each other and subsequent integration in order to obtain acorrelation or logic XOR (exclusive Or) for corresponding pixels andsubsequent summing up. The matching can also be made on non-binarisedimages.

1. A portable data carrier, comprising: a memory with a biometrictemplate which is intended to be compared with a biometric sample foridentity check, wherein the biometric template is divided into a) aprivate part which is adapted to be exclusively used in the portabledata carrier, wherein said exclusive use includes comparison of at leasta part of said biometric sample with said private part and b) a publicpart which is adapted to be transferred to and used in an externalprocessing unit, and wherein the public part of the biometric templatecomprises at least one partial area, which constitutes a public partialarea, of a digital image of an individual-specific parameter, and thepublic and private parts are non-overlapping areas in the digital image.2. A portable data carrier as claimed in claim 1, wherein the privatepart of the biometric template comprises at least one partial area,which constitutes a private partial area, of the digital image of theindividual-specific parameter.
 3. A portable data carrier as claimed inclaim 1, wherein the individual-specific parameter is a fingerprint. 4.A portable data carrier as claimed in claim 1, wherein the public partof the biometric template comprises information which is intended to beused for determining a reference point in the biometric sample, whichreference point corresponds to a reference point in the biometrictemplate.
 5. A portable data carrier as claimed in claim 1, wherein thepublic part of the biometric template comprises information which isintended to be used for determining how the template is oriented inrelation to the biometric sample.
 6. A portable data carrier as claimedin claim 2, wherein the number of private partial areas is greater thanthe number of public partial areas.
 7. A portable data carrier asclaimed in claim 2, wherein at least one private partial area is locatedin immediate connection with a public partial area in the digitalrepresentation.
 8. A portable data carrier as claimed in claim 2,wherein the public part of the biometric template further comprisesinformation about how said at least one private partial area is locatedin relation to a reference point.
 9. A portable data carrier as claimedin claim 2, wherein the private part of the template comprises at leastone threshold value which indicates to what extent said at least oneprivate partial area is to match a corresponding partial area of thebiometric sample for these two partial areas to be considered tooriginate from the same individual.
 10. A portable data carrier asclaimed in claim 1, further comprising a communication means, via whichthe public part of the biometric template is adapted to be transferredto the external processing unit.
 11. A portable data carrier as claimedin claim 1, further comprising a signal processing means which isadapted to carry out a comparison between the private part of thetemplate and at least part of the biometric sample.
 12. A portable datacarrier as claimed in claim 1, wherein the portable data carrier is asmart card.
 13. A method for biometric identity check in a processingunit, comprising the steps of: receiving a biometric sample and a publicpart of a biometric template, the biometric template further has aprivate part that is stored in a second unit and that is adapted to beexclusively used in the second unit, said public part of the biometrictemplate comprising at least one partial area in a first digital imageof an individual-specific parameter, the public and private parts arenon-overlapping areas in the first digital image; comparing the receivedpublic part of the template with the biometric sample; and transferring,when a comparison criterion has been satisfied, at least part of thebiometric sample to the second unit for further comparison in saidsecond unit with the private part of the biometric template.
 14. Amethod as claimed in claim 13, wherein said at least part of thebiometric sample comprises at least one partial area in a second digitalimage of an individual-specific parameter.
 15. A method as claimed inclaim 13, wherein the private part of the biometric template comprisesat least one partial area in the first digital image of theindividual-specific parameter.
 16. A method as claimed in claim 13,further comprising using the result of the comparison in order todetermine which at least part of the biometric sample is to betransferred to the portable data carrier.
 17. A method as claimed inclaim 13, further comprising determining a reference point in thebiometric sample by means of the public part of the template.
 18. Amethod as claimed in claim 17, wherein the received public part of thebiometric template comprises information about how said at least part ofthe biometric sample that is transmitted to the second unit is to belocated in relation to the reference point, and further comprising usingthis information to determine which at least part of the biometricsample is to be transferred to the second unit.
 19. A method as claimedin claim 13, wherein the biometric sample is a fingerprint.
 20. A methodas claimed in claim 13, wherein the second unit is a smart card.
 21. Acomputer program product stored on a computer readable medium comprisingprogram code which, during execution in a computer, carries out a methodaccording to claim
 13. 22. A processing unit for use in biometricidentity check, comprising: means for receiving a biometric sample and apublic part of a biometric template, the biometric template further hasa private part that is stored in a second unit and that is adapted to beexclusively used in the second unit, wherein the exclusive use includescomparison of at least a part of said biometric sample with said privatepart, said public part of the biometric template comprising at least onepartial area in a first digital image of an individual-specificparameter, the private and public parts are non-overlapping areas in thefirst digital image; means for comparing the received public part of thetemplate with the biometric sample; and means for transferring, when acomparison criterion has been satisfied, at least part of the biometricsample to the second unit for further comparison within the second unitwith the private part of the biometric template.
 23. A processing unitas claimed in claim 22, wherein said means for receiving comprise aprocessor and a communication means.
 24. A processing unit as claimed inclaim 22, further comprising a sensor for recording the biometricsample.
 25. A method for producing a biometric template, comprising thesteps of: recording a biometric sample in the form of a digital image ofan individual-specific parameter; selecting a first part in thebiometric sample, said first part comprising at least one partial area,which constitutes a public partial area, of the digital image; selectinga second part in the biometric sample which does not overlap the partialarea of the first part; and storing the selected first and second partin a memory in a first unit in a public part and a private part,respectively, of a biometric template, the private part being adapted tobe exclusively used in the first unit, wherein the exclusive useincludes comparison of at least a part of said biometric sample withsaid private part, and the public part being adapted to be used outsidethe first unit.
 26. A method as claimed in claim 25, wherein selecting asecond part comprises selecting at least one partial area, whichconstitutes a private partial area, in the digital image.
 27. A methodas claimed in claim 26, further comprising determining the positioningof the private partial area in relation to a reference point which isdefined by the public part of the template, and storing informationabout the positioning in the public part of the template.
 28. A methodas claimed in claim 26, further comprising storing in the first unit athreshold value which indicates to what extent said at least one privatepartial area is to match a corresponding partial area of the biometricsample for these two partial areas to be considered to originate fromthe same individual.
 29. A method as claimed in claim 25, wherein thedigital image is a fingerprint.
 30. A method as claimed in claim 25,wherein the first unit is a smart card.
 31. A computer program productstored on a computer readable medium that comprises program code which,during execution in a computer, carries out the method according toclaim
 25. 32. A method for carrying out biometric identity check,comprising the steps of: recording a biometric sample which representsan individual-specific parameter; comparing in a first unit a publicpart of a biometric template, which public part has been received from asecond unit and which public part comprises at least one partial area ofa first digital image of an individual-specific parameter, with thebiometric sample in order to find out whether a first predeterminedcomparison criterion has been satisfied; selecting, if the firstcomparison criterion has been satisfied, at least part of the biometricsample according to a predetermined private selection criterion andtransferring said at least part of the biometric sample to the secondunit; comparing, in the second unit, said at least part of the biometricsample with a private part, stored and adapted to be exclusively used inthe second unit, of the biometric template to find out whether a secondpredetermined comparison criterion has been satisfied, wherein thepublic and private parts are non-overlapping areas in the first digitalimage.
 33. A method as claimed in claim 32, wherein the biometric sampleis recorded as a second digital image of the individual-specificparameter.
 34. A method as claimed in claim 32, wherein said at leastpart of the biometric sample comprises at least one partial area of asecond digital image of the individual-specific parameter.
 35. A methodas claimed in 32, wherein the private part of the biometric templatecomprises at least one partial area of the first digital image of theindividual-specific parameter.
 36. A method as claimed in claim 32,wherein the second unit is a smart card.
 37. A computer program productstored on a computer-readable medium comprising program code which,during execution in a computer, carries out the method according toclaim 32.